Electronic marketing, or e-marketing, is a type of advertising that includes marketing activities conducted by an organisation online using the Internet and online-based digital technologies such as mobile phones, computers, and other digital media platforms to promote products and services. If your organisation relies on electronic marketing, you need to be aware of the rules around its use. The Privacy and Electronic Communications Regulation (PECR), rather than the GDPR, is the law that regulates electronic communications. PECR covers marketing by electronic means (electronic marketing), the use of cookies, security of public electronic communication servers, and privacy of customers using communication networks or services.
This blog will not focus on the ‘ins and outs’ of PECR as a whole (you can read our guide for that), but will break down the guidance on electronic marketing.
The basic rule enshrined in PECR on marketing is that you must not send electronic mail marketing to individuals unless:
Even where one of the above scenarios is met, there are a few more considerations to keep in mind:
This rule is the same if you are sending marketing via emails, texts, videos, voicemails, direct messages via social media or similar messages that are stored electronically. ‘Electronic mail’ has an intentionally broad meaning that includes various forms of messaging. The agreed definition is:
“Any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”.
Unlike sales and marketing calls, there is no version of the Telephone Preference Service (TPS) for email and electronic marketing. The TPS is the UK’s ‘do not call’ list for both landlines and mobiles and allows both businesses and individuals to opt out of all marketing and sales calls in one fell swoop. Bearing this in mind, if you are planning to market to people over the phone, it is important to cross-reference your contact list with the TPS so as not to unwittingly call someone who has opted out, leaving your organisation in breach of its obligations under PECR and the UK GDPR.
Aside from when you can rely on the soft opt-in exception (explained below), you should only electronically market to individuals if they have given their specific consent to receive electronic marketing from your organisation. They can do this by ticking an opt-in box and/or signing up to your mailing lists.
It is important to familiarise yourself with the rules around consent and what it should entail. PECR defines consent in the same way that the UK GDPR does in Article 7. Consent must be:
If you fail to gain proper consent that meets the above criteria, you could end up in hot water with the Information Commissioner’s Office (ICO), as well as suffering reputational damage resulting from unhappy customers or prospects. You should also keep in mind that consent does not last forever: it is important to regularly review your electronic marketing databases and remove any contacts that are not engaged.
‘Soft opt-in’ is the exception to the rule that consent must be gained prior to sending electronic marketing messages to individuals. This exception allows you to send direct marketing to existing customers or active prospective customers (e.g. those that have downloaded a brochure) who may not necessarily have given their explicit consent. Without spoiling our previous blog, soft opt-in allows you to market similar products and services to them, even if they have not consented. However, you are required to give them a chance to opt out. The crucial point to note here is that this rule does not apply to non-commercial promotions like political campaigns or charity fundraising.
Depending on what type of business you are planning to market to, the rules you need to follow may be slightly different. Sole traders and some partnerships are treated as individuals, so the requirement to gain consent will apply.
However, you can send electronic marketing to almost any corporate body, including companies, Scottish partnerships, limited liability partnerships, or government bodies by relying on legitimate interests. However, if someone can be identified by the professional email address you are marketing to (e.g. name@company.com), you need to be mindful that the UK GDPR will apply.
In addition, you should still, just as good practice, keep a “do not email or text” list of any business that objects or wishes to opt out. You should also screen any new marketing contacts against this list.
(For more information on how corporate structures affect GDPR compliance, click here to read our blog.)
The same rules apply if you send a viral message or if you ‘instigated’ someone else to send it on your behalf. ‘Instigating’ a message is when you ask your customers to forward marketing messages onto their contacts. You will only be responsible under PECR if you have encouraged your customers to forward on the marketing message.
It is also wise to avoid any kind of marketing where you ask your customers to provide their contacts’ contact details (such as for a referral scheme), as one person cannot provide consent on another’s behalf to receive marketing messages.
Any marketing delivered via social media will need to comply with these rules too. PECR do not set rules on other types of online marketing, banner or display ads for example, but there are specific rules on cookies. Cookies are often used to profile users and target behavioural advertising. You can find the ICO’s rules on cookies here.
As well as the above, you and your organisation should consider the following:
If electronic marketing is something your organisation utilises, you need to be up to date and ensure you comply with the ICO’s guidance. If you, or your organisation, need help with electronic marketing and remaining compliant with both the UK GDPR and PECR, contact our team.